Fessleak malvertising campaign used to serve ransomware

Invincea has been monitoring the Fessleak campaign in which hackers leveraged Adobe Flash Player exploits and file-less infections to serve ransomware.

Security experts from Invincea are investigating a new ransomware campaign that originated in Russia and presents several interesting characteristics. The researchers found that the attacks began with file-less infections and then moved to the exploitation of zero-day vulnerabilities in Adobe's Flash Player.

The ransomware was identified as Kovter; the attackers are spreading it through an advertising network that manages ad groups on a number of popular websites.

“Ransomware malvertising can strike at any time, and it typically is dropped from clickbait articles on popular websites or simply by visiting popular sites like DailyMotion.com,” states a blog post published by Invincea. “You will see in the logs that there is no dropped file, however, you will see that the malware is extracted from system memory using the local System32 file, extrac32.exe.”

Initially, the Kovter ransomware was delivered through an exploit kit, but the researchers have also detected an instance of the malware served via a real-time ad-bidding network, which delivers the malicious code without writing a single file to disk.

The researchers discovered a Russian criminal crew that is delivering the Kovter ransomware by extracting its code directly from system memory.

The bad news is that the criminals exploited the public attention surrounding the news of the Charlie Hebdo tragedy.

“Next is an example of the new file-less flash malvertising dropped by Russian criminals via a real time ad bidding network. This malvertising doesn’t seem to have a specific name, so Invincea has dubbed this “Fessleak” after the registrant of all of the malicious domains used in the malware delivery. In this instance, a clickbait article on the HuffingtonPost about the terrorist attack on Charlie Hebdo dropped advanced ransomware. You will see in the logs that there is no dropped file, however, you will see that the malware is extracted from system memory using the local System32 file, extrac32.exe. Once this extraction is complete, the malware detects the Invincea container and the malware quits its functions.” continues the post.

Among the websites impacted by the malvertising campaign, there are also illustrious names like the Huffington Post, as well as Russia Today (RT.com) and CBSSports.com.

After Microsoft patched the privilege escalation flaw (CVE-2015-0016) in Windows systems, the Russian hackers stopped using file-less infections and moved to zero-day exploits.

“Now Fessleak drops a temp file via flash and makes calls to icacls.exe, the file that sets permissions on folders and files. At this time, there is no detection for the malicious binary, which likely rotates its hash value to avoid AV detection,” Invincea said.
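Because the dropped binary rotates its hash, a hash-based signature is of little use; the behaviour Invincea describes (a browser or Flash plugin process invoking extrac32.exe, and later icacls.exe) is a more durable detection point. The following is an added example, not code from Invincea or the article: it parses constructed process-creation events in an assumed, simplified Sysmon-style key=value layout and flags that parent/child pairing.

```python
"""Flag browser-spawned extrac32.exe / icacls.exe events (added example)."""
import re

# Tools the article reports being invoked during Fessleak delivery.
SUSPICIOUS_CHILDREN = {"extrac32.exe", "icacls.exe"}
# Browser and plugin hosts that should not normally spawn those tools (assumed list).
BROWSER_PARENTS = {"iexplore.exe", "firefox.exe", "chrome.exe",
                   "plugin-container.exe", "flashplayerplugin.exe"}

# key=value pairs; quoted values may contain spaces and backslashes.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one 'key=value key="quoted value"' record into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_fessleak_like(event: dict) -> bool:
    """True when a browser/plugin process spawns extrac32.exe or icacls.exe."""
    child = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    return child in SUSPICIOUS_CHILDREN and parent in BROWSER_PARENTS


def find_alerts(lines):
    """Return (child, parent, command line) for every matching event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_fessleak_like(ev):
            alerts.append((basename(ev["Image"]), basename(ev["ParentImage"]),
                           ev.get("CommandLine", "")))
    return alerts


# Constructed sample telemetry (not real logs); the second line is benign admin use.
SAMPLE_LOG = [
    'EventID=1 Image="C:\\Windows\\System32\\extrac32.exe" '
    'ParentImage="C:\\Program Files\\Internet Explorer\\iexplore.exe" '
    'CommandLine="extrac32.exe /Y C:\\Users\\u\\AppData\\Local\\Temp\\a.cab"',
    'EventID=1 Image="C:\\Windows\\System32\\icacls.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="icacls C:\\Users\\u\\Documents /grant Users:F"',
    'EventID=1 Image="C:\\Windows\\System32\\icacls.exe" '
    'ParentImage="C:\\Program Files\\Mozilla Firefox\\plugin-container.exe" '
    'CommandLine="icacls C:\\Users\\u\\AppData\\Local\\Temp\\x.tmp /grant Everyone:F"',
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT:", alert)
```

The explorer.exe-launched icacls.exe line is deliberately left unflagged so that ordinary administrative use does not produce alerts.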

“While Invincea has been tracking this threat actor for months, other notable security professionals have noticed that Fessleak is using advanced Adobe 0-Day exploits to continue to deliver his malware. Kafeine from malware.dontneedcoffee.com notes that Fessleak has now been seen using the very latest Zero-Day Adobe exploit CVE-2015-0311. His excellent write-up, which notes that the latest exploit installs a remote desktop and AdFraud bot is here. TrendMicro also notes that Fessleak, and specifically, one of his “burner” domains, retilio.com was seen to use the same zero-day in this blog post here.”

The experts explained that the Fessleak malvertising campaign, which delivers the ransomware, consists of the following steps:

1. The criminals register a burner domain with a DNS setting of 8 hours.

2. The domain is pointed at the page hosting the exploit used to serve the malware; access to this page is limited to visitors arriving with the correct referrer.

3. The attackers bid on ads that trigger a redirection from the legitimate site to the burner domain.

4. Victims are redirected to the page, which serves the ransomware.

5. After eight hours, the attackers abandon the burner domain and repeat the process with a new one.

“It is important to note that the sites from which the malvertising was delivered are by and large unaware that their sites were used for delivering malware, and largely unable to do anything about it,” confirmed Invincea.

Initially, the attackers included code exploiting the CVE-2015-0311 and CVE-2015-0313 vulnerabilities in the Angler exploit kit, but CVE-2015-0313 has since been added to other exploit kits such as Hanjuan, while CVE-2015-0311 was added to the Fiesta, Nuclear Pack and RIG exploit kits.

According to Invincea, since December 2014 the following domains have been used to spread ransomware:


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".